(19) 



J) 



Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 



(11) 



EP 1 146 715 A1 



(12) 



(43) Date of publication: 

17.10.2001 Bulletin 2001/42 

(21) Application number: 01107388.9 

(22) Date of filing: 26.03.2001 



EUROPEAN PATENT APPLICATION 

i 

(51) mtci7: H04L 29/06, G06F 1/00 



(84) 


Designated Contracting States: 


(72) 


Inventors: 


AT BE CH CY DE DK ES Fl FR GB GR IE IT LI LU 


• 


Wang, Xin 




MC NL PT SE TR 




Los Angeles, CA 90007 (US) 




Designated Extension States: 


• 


Ta, Thanh T. 




AL LT LV MK RO SI 




Huntington Beach, CA 92648 (US) 


(30) 


Priority: 24.03.2000 US 536325 


(74) 


Representative: Grunecker, Kinkeldey, 




Stockmair & Schwanhausser Anwaltssozietat 


(71) 


Applicant: ContentGuard Holdings, Inc. 




Maximilianstrasse 58 


Wilmington, Delaware 19803 (US) 




80538 Munchen (DE) 



(54) System and method lor protection of digital works 



(57) A method of protecting a digital work uses a 
blind transformation function to transform an encrypted 
digital work into encrypted presentation data. The orig- 
inator's digital content is protected in its original form by 
not being decrypted. This method enables the rendering 
or replay application to process the encrypted document 
into encrypted presentation data without decrypting it 



first. Encrypted presentation data is then decrypted just 
before it is displayed to the user. The blind transforma- 
tion function is a function of the original transformation 
function. For example, the blind transformation function 
may be a polynomial of the original transformation func- 
tion. Alternatively, both the blind transformation function 
and the original transformation function may be any mul- 
tivariate, integer coefficient affine function. 
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Description 
Copyright Notice 

s 100011 A portion ot the disclosure ol this patent document contains material which is subject to copyright protection 
The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent 
disclosure as it appears in the Patent and Trademark Office file or records, but otherwise reserves all copyright rights 
whatsoever. 

10 Related Application 1 

[0002] This application is a continuation-in-part application of application no. 09/178,529 filed October 23, 1998. 

Field of the Invention 

100031 The invention relates to document rights management, and more particularly, to a method for protecting digital 
works which employs a blind transformation to transform encrypted digital works into encrypted presentation data. 

Background of the Invention 
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■00041 One of the most important issues impeding the widespread distribution of digital documents or works via 
electronic commerce is the current lack ot protection of the intellectual property rights of content owners during the 
d SL" on and use of those digital documents or works. Efforts to resolve this problem have been termed "Intellectual 
Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Man- 
xmen." PPM") "Rights Management" (»RM»), "Digital Rights Management" ("DRM") and "Electronic Copynght Man- 
agement" ("ECM ). At the core of Digital Rights Management is the underlying issue of ensuring that only authorized 
ucers may perform operations on digital, documents or works that they have acquired. Once accessed, the content 
m,,*t not be distributed or used in violation of the content owner's specification of rights. 

moo 5 r A document or work, as the term is used herein, is any unit of information subject to distribution or transfer, 
nc.ud ng but not limited to correspondence, books, magazines, journals, newspapers other papers, software^ photo- 
oraohs and other images, audio and video clips, and other multimedia presentations. A document may be embodied 
S printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media. A 
1^ work as th ^erm is used herein, is any document, text, audio, multimedia or other type of work or portion thereof 
maintained in a digital form that can be replayed or rendered using a device or a software program, 
mooei in the world of printed documents, a work created by an author is usually provided to a publisher, wh ch 
loJma.s and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other reta.l 
outlets from which the copies are purchased by end users. 

m007l" While the low quality of copying and the high cost of distributing printed material have served as deterrents 
o^ne .legally copying of most printed documents, it is far too easy to copy, modify, and redistribute unprotected I elec- 
tronic documents Accordingly, some method of protecting electronic documents is necessary to make it harder to 
illegally copy them. This will serve as a deterrent to copying, even if it is still possible, tor example, to make hardcopies 
of printed documents and duplicate them the old-fashioned way. 

mooTl With printed documents, there is an additional step of digitizing the document before rt can be redistributed 
electronically this serves as a deterrent. Unfortunately, it has been widely recognized that there is no viable way to 
nrevent people trom making unauthorized distributions of electronic documents within current general-purpose com- 
DU tm Q and communications systems such as personal computers, workstations, and other devices connected over 
tocal aiea networks (LANs), intranets, and , he Internet. Many attempts to provide hardware-based solutions to prevent 
unauthorized copying have proven to be unsuccessful. 

, ooor - v , r , b8 c.ir schemer have been employed to attempt to reive In* or rumenl rroledion problem: fec.re cor, 
lamer itvMems wi.ici. reiy on crypioyrfapi..c n .ecbai.isms) ana u usito tysiemt . , 

00101 Cryptographic mechanisms encrypt (or "encipher") documents that are then distributed and stored publicly, 
and u Lately privately decrypted by authorized users. Cryptographic mechanisms provide a basic form o protection 
durintdocument delivery from a document distributor to an intended user over a public network, as well as during 
document storage on an insecure medium. Many digital rights management solutions rely on encrypting the d.g.ta 
work and distributing both the encrypted message and decryption key to the consumer's system. While different 
schemes are employed to hide the decryption key trom the consumer, the fact remains that all necessary in ormat.on 
fs available for a malicious user to defeat the protection of the digital work. Considering that current genera -purpose 
computers and consumer operating systems provide little in the way of sophisticated securrty mechanisms, the threat 



BNSDOCID" <E P n *6? 1 5A lj_ > 



EP 1 146 715 A1 



is both real and obvious. 

[0011] A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted 
until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the 
various conditions and terms are verified with the document provider, the document is released to the user in clear 
5 form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the 
secure container approach provides a solution to protecting the document during delivery over insecure channels, but 
does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and 
redistributing it in violation of content owners' intellectual property. 

[001 2] Cryptographic mechanisms and secure containers focus on protecting the digital work as it is being transferred 
10 to the authorized user/purchaser. However, a digital work must be protected throughout its use from malicious users 
and malicious software programs. Even if a user is a trusted individual, the user's system may be susceptible to attack. 
A significant problem facing electronic commerce for digital works is ensuring that the work is protected on the target 
consumer's device. If the protection for the digital work is compromised, valuable and sensitive information is lost. To 
complicate matters, today's general-purpose computers and consumer operating systems are deficient in the areas of 
i5 security and integrity. Protecting the work throughout usage is a much more complex issue that remains largely un- 
solved. 

[0013] In the "trusted system" approach, the entire system is responsible tor preventing unauthorized use and dis- 
tribution of the document. Building a trusted system usually entails introducing new hardware such as a secure proc- 
essor, secure storage and secure rendering devices. This also requires that all software applications that run on trusted 
20 systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing 
technologies, current market trends suggest that open and untrusted systems such as PC's and workstations will be 
the dominant systems used to access copyrighted documents. In this sense, existing computing environments such 
as PC s and workstations equipped with popular operating systems (e.g., Windows and UNIX) and render applications 
(e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architec- 
ts tures. 

[0014] Accordingly, although certain trusted components can be deployed, users must continue to rely upon various 
unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated 
bugs and weaknesses are frequently found and exploited. 

[0015] Conventional symmetric and asymmetric encryption methods treat messages to be encrypted as basically 
30 binary strings. Applying conventional encryption methods to documents has some drawbacks. Documents are typically 
relatively long messages; encrypting long messages can have a significant impact on the performance of any appli- 
cation that needs to decrypt the document prior to use. More importantly, documents are formatted messages that rely 
on appropriate rendering applications to display, play, print and even edit them. Since encrypting a document generally 
destroys formatting information, most rendering applications require the document be decrypted into clear form before 
35 rendering it. Decryption prior to rendering opens the possibility of disclosing the document in the clear after the de- 
cryption step to anyone who wants to intercept it. 

[0016] There are a number of issues in rights management: authentication, authorization, accounting, payment and 
financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document pro- 
tection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted 
40 to perlorm a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the 
software), the document is presumably in-the-clear, or unencrypted. Simply stated, the document protection problem 
is to prevent the content owner's rights from being compromised when the document is in its most vulnerable state: 
stored, in the clear, on a machine within the user's control. 

[001 7] Even when a document is securely delivered (typically in encrypted form) from a distributor to the user, it must 
45 be rendered to a presentation data form before the user can view or otherwise manipulate the document. Accordingly, 
to achieve the highest level of protection, it is important to protect the document contents as much as possible, while 
revealing ihem to the user at a laie siage and in a lorm that is dillicull to recover into a uselul lorm. 
|00if:* In the- known appio;;.c i.'-r h electronic docurnf r» i!i: trit uiirr. that «* -.v,r M f-nciyptior., an encrypted document 
is rendered in several separaie steps. First, the encrypted document is received by the user. Second, the user employs 
so his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Finally, the 
clear content is then passed on to a rendering application, which translates the computer-readable document into the 
finished document, either for viewing on the user's computer screen or for printing a hardcopy. The clear content is 
required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft 
Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be appreciated, 
55 then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, 
but is still stored in clear electronic form on the user's computer. If the user is careless or is otherwise motivated to 
minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content 
owner. 
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by limiting use of the digital work to a ^^^^^ 0 phy s cal device the user intends to use to render 
private information or system state mformation ^J*V^JJJ2S configuration information suoh as system 
the digital work. System state informat.or ns ^ » etc . ln tnese techniques, the digital 

parameters, CPU identifier, dev.ce '^^"■^'^I'JJ rather than using the user's encryption key, is encrypted 
content is encrypted using a sess.on W™J£^££^ credentials. Then both the encrypted conten 
using a combination of the system or state reC eived encrypted work, the user must contact 

and key •«t«^^»^^ , "^^°3^pSSn) which verifies the user's identity and ore- 
a trusted authorizing entity (usually a ^ ^ d » a 9 nd fin ' ally deC rypts the content for use. 
dentials, then together with system ^e A crobat reader and the secure Microsoft Med.aP layer 

[0020] Commercial appl.cat.ons such a k S ^ e a 3 s e e ^ e ^ ortne appr0 priate user credentials and usage nghts. 
validate usage of the digital work by ^^^T^^Z CPU identifier or certain device serial numbers. 
Am ong the user credentials are system ^^^^S!^ verifies if ,he ^ ' S PreS6nt ' 

themselves are particularly susceptible to the * rea \ oi 0Dergte by allowing the rendering application to 

002D The Acrobat Reader and ^' aPla ^ D ^ 

Identify required devices on ^T'^^S^O. is * us,ed and th6 U8art """T* 

a lev e, of protection ^^^^^^^ is that it is based on the assumption that ne.ther 
device is not susceptible to attack). I he wea VO ucher will be compromised. 

, he protection of the cryptographic key nor the ,ntegr,t of the I „ technique , ,„ that once the 
0022] These techniques are really more of ^^^^ZL or "cense voucher received, the content 
user's identity and credentia. information, ^ m ^^^^ % digi1a , work is aflorded no protection through- 
is decrypted to its clear state and then becomes vulnerable to attack. 1 1 he 9 ^ suf|jcjenl| oeterred 

oufusag'e. Further, the user informat^ 

trom passing along his/her persona, .nformat.on. I oth « r "°'*' Dr ° V aVe identity and credential information, 
must be severe consequences for users who would reveal ^the.r pnvate .dentrty ^ user 

^0023] A significant drawback to the schemes wh.ch ^^^ZSon) which raises a concern regarding 
o divulge sensitive information (e.g., CPU number or o^r perso >n he/she does not wish l0 

privacy issues. While the user divulges t e .ntorm f^TvlZ be d irab.e to" provide a protection scheme that 

distlted a9 documen« during the decryption and rendering processes. 
Summary of the Invention 

[0025] A seil-protecting document ("SPO"), ^^^^^l^^^ 
ages of the prior art. By combining an encrypted document wrth a set £ pe ^ se , f . pr0 , ec1ing document 

th at incudes most o, the software necessary o exuact and us e and sotmare . 
accomplishes protection ol documen, contents wrthoul ^ZVaZ^o q o,s to the author and the publisher ol the 
,0026] The SPD system is broken down t ^'^^ r ^ L c,i,in,, Cerumen, and decider whr, 

— ~:;:o"= — «- - - — — ensunn9 v,a ,hfc 

10027] At the user's system, the seli-protectmg document « ««W use of the spD need not re |y 

of the invention, various rendering facilities are ■J^^J^^ unauthorized use). In an alternative em- 
upon externa, — ^ £ --ring application to interact with the SPO to 
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provide trusted rendering. pnrrv nted document is decrypted by the user's sysiem while simul- 
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may be cryptograph bally less secure than the encryption used for distribution, but serves to deter casual copying. In 
this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate 
form of the document to be essentially unusable. 

[0029] In another embodiment of the invention, a method of protecting a digital work uses a blind transformation 

5 function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is 
protected in its original form by not being decrypted. This method enables the rendering or replay application to process 
the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is 
then decrypted just before it is displayed to the user. This method improves the overall performance of the process 
(both decryption and rendering) by minimizing the decryption overhead (since pre-rendering decryption is generally 

io more time and resource consuming) and postponing the decryption to a late stage of the rendering process. 

[0030] Blind transformation or blind computing can be accomplished in one of several ways. Most digital works include 
formatting information, which when encrypted cannot be processed by the replay or rendering application (the trans- 
formation function which transforms a digital work into presentation data). If the digital work is encrypted with a format 
preserving encryption scheme, any transformation function may be used. This is particularly useful in that any com- 

15 mercial replay or rendering application can process the encrypted digital work into encrypted presentation data. Oth- 
erwise the blind transformation lunction is a function of the original transformation function. For example, the blind 
transformation function may be a polynomial of the original transformation function. Alternatively, both the blind trans- 
formation function and the original transformation function may be any multivariate, integer coefficient aff ine function. 
[0031] Not all encryption schemes are format preserving encryption schemes. Additive encryption schemes may be 

20 used with all document types and all associated transformation functions. In some replay or render applications, for 
some types of documents, portions of the format information may be left in the clear. In other types of documents all 
of the format information may be encrypted. In some types of documents, an additive encryption scheme may be used 
to encrypt the format information and any encryption scheme may be used to encrypt the content or data portion of 
the document. 

25 [0032] In particular, additive encryption schemes can be used to encrypt coordinate information of documents so 
that some rendering transformations can be performed on the encrypted coordinate data. In a special class of docu- 
ments, token-based documents, for example, there are two places during the format-preserving encryption that use 
encryption schemes: one is for coordinate or location information x and y of the particular tokens within the document, 
and the other is for the dictionary of individual token images. In order to perform blind transformation on the individual 

30 coordinates of the particular tokens in the document, the first encryption scheme must be an additive encryption 
scheme. However, the token dictionary may be encrypted with any encryption scheme. 

[0033] An encrypted token dictionary may still leak information such as the sizes of the token images. If this is a 
concern (such as if the token dictionary is small), the tokens can be padded with some extra bits before encryption. 
The padding can result in encrypted token images of a same size or several fixed sizes. For a token-based document, 

35 the coordinate information of the tokens in the dictionary may not be encoded. If it is desired that coordinate information 
be encoded, say, as Huffman codewords, the same approach that is used to encrypt the identifiers can be used to deal 
with this situation. Basically, the codewords in location tables are left in the clear and the codewords in the codeword 
dictionary are hashed using some one-way hash function and their corresponding coordinate information is encrypted. 
During rendering the codewords in the location tables are first hashed and then used to lookup their encrypted coor- 

40 dinate information. 

[0034] In another embodiment of the invention, a digital work and a system context (or resource information or system 
resource) are polarized enabling trusted rendering or replay of the digital work without depolarization of the digital 
content. In this embodiment, the digital work is of the type which includes digital content and resource information. 
Resource information may include information used by a replay application to format or process the digital work into 

45 presentation data. Resource information may include, for example, a collection of system resources available to the 
replay software on a panicular system, such as the Font Table, Color Palette, System Coordinates and Volume Setting. 
|0035) Different types ol digital works may be polarized. In addition io polarizing typical document lype digital works : 

,. uf ,„ vic.c,c- dicito won:: hf P< imcm'. "l die*;:: wor, s.i.c r yr •„ nk- - anally p^.n:.ff U ?, mer.i 

lecturer or content owner's location using a polarization engine. A polarization engine is a component used to transform 

so the digital work and system context to their respective polarized forms. The polarization engine employs a polarization 
scheme which relies on some polarization seed, an element used to initialize and customize the polarization engine. 
[0036] Various polarization schemes may be used to polarize a digital work. For example, a stateless polarization 
employs a random number as a seed to transform a digital work into a polarized digital work. A state-based polarization 
scheme employs a seed based on a system state or characteristic of a system to transform a digital work into a polarized 

55 digital work that is associated with that system state or characteristic. A dynamic state-based polarization scheme 
employs a seed based on a dynamic system state or characteristic to transform a digital work into a polarized digital 
work. In this embodiment, the polarized digital work will typically be provided with a polarization engine for repolarizing 
the encoded digital work and the encoded system context according to the dynamic state-based polarization scheme 
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. a the evRt - m reaues ts reDlav ol the digital work. An authorization-based polarization scheme employs a seed 
Tas on 2ZS,ZSSfflih«d from a trusted source to transform a digits, wo* into a po.anzec digital 
wo" For ^security, the polarized system context can be stored ^f^Z^T " 

ki« ^movi rim/ice which must be coupled to the system prior to use of the digital work. 
r 3 7 V , VeiTa^Vo poZT^ contains information which can be used to tie the particu.ar digita. work to 
hfu' mat end usl or an ultimate end user system. Typically the owner or distributorwill select the type of po anzat on 
schemTS be used in polarizing the digital work and the type of po.arization key to use depending on the value of the 
h ?ni, fl Tw 0 ?k ^encryption schemes polarization schemes come in different levels of complexity and strength. When 
digital work. Like encryption scne , P resource information, called the system context, is 

mS* ^l^:^^Zt^^ work and the system context are polarized. A different 
SarizatbnTcheme may be used for the system context than is used for the digital work. However the po.anza ion 
seed Ms the i sameTor both. The polarized digita. work and polarized system context are then prov.ded to the user for 

1 ITr^nZ ToTesentation data must be decrypted into clear presentation data. In this embodiment ol the mven- 
ttn the^ Po'arized resource information to transform a po.ar.ed digita. work into clear 

ZlTTo^L digita. content of a digita, work is polarized, leaving the resource information unpolar.zed or in the 
SS! the reo tav application will be able to process the polarized digital work into polanzed presentation data. This 
means a ^deplrizer mu^depoiarize the presentation data into clear presentation data suitable for viewing or use by 
Z use fa poZ o7a digital work's resource information is also polarized accordingly, when the replay appl^on 
.he oolarized digital work the replay application uses the polarized system resource .nformation to transform 
presentation data. All or just a portion of the required resource information may be 
poized Th replay is blind in thaUhe replay application does not see the original, unpolarized d.grta contend 
mnlm in thts embodiment a polarized digital work is transtormed by the replay applicat.on using a polanzed system 
1 t I .^l^io^Zn) recreate clear presentation data; the replay application can be any commercial orth.rd 
context 1'**™™^°™^™°™ need L be cus ,omized to depolarize the presentation data and no depolarizer 
^^™7r^7^S^*« operates as a blind replay system (it processes polarized digital content 
9 'Slfll resources) and relies on a type of polarization which transforms or encodes the digital work 
suc^tS T S to rX^sing^ software p^ram or device is tied to a specific resource information, thus 

Z\T ^T^T^T^o, encryption to protect the digita, work and eventually decrypt the ^ 
[0041] uni Ke sysi h Dr0 vided to the replay application, the blind replay system keeps the digital 

in, T ^XS!^^^^^ 0"°^ «S in the b,ind rep,y) until the ,ast possib,e m T nx 

work encoded .n ' 1ne P°'^"™ ,0 ™ J ^ m th P e polanzed digita | WO rk itself is never depolarized in the clear. Since 

in its clear lorm it cannot be easily (if at all) transformed back into the original digital work. ^.simd 
00421 Cny dmerent types of digital works and their resource information may be polarized and replayed ,n a b nd 
epiS svstm Sal JL such as documents, text, audio files, graphics files and video hies may be replayed in the 
blind replay system of the invention by polarization of an appropriate resource information. 

Brief Description of the Drawings 

[0043] The structure and function o. the invention is best understood with reference to the included drawings, which 
45 may be described as follows: 

FIGURE 1 is a top-level biock d.agram representing a model «or the c-ea.ion and commercial distribution ol e.ec- 
ironic documenis in either secure or insecure environments; 
^ " ,lo,. dinorm. ilUiruruinc the decyntir r. < - r ,nr-r,,d e,,,u,r,ir d,r„ments according to the 6 n 
P,GURE b is a now d.agran, i.iustiat.ng the oecryption o, protectee e.ectronic oocuments according to c s,mp,e 

ITooT^sZ' SI illustrating the decryption of protected e,ec,ronic documents according a preferred 

T^T^ZZ^Z:. diagram illustrating the data structures present in a setf-protecting document ac- 

" - customization 1 - self-protecting document according to 

F^gTiF^ E 7 'f low dtagr^m.'from a user's perspective, illustrating the actions performed in hand.ing and using a 
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self-protecting document according to the invention; 

FIGURE 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and 
rendered and decrypted presentation data; 

FIGURE 9 is a flow diagram illustrating a polarization process according to the invention in which document format 
5 information remains in the clear for rendering. i 

FIGURE lO.is a block diagram of a method of format preserving encryption and trusted rendering according to the 

invention; 

FIGURE 11 is a simple example of a document to be tokenized; 
FIGURE 12 is the token dictionary for the document of Fig. 11 ; 
10 FIGURE 13 is the location table for the document of Fig. 11; 

FIGURE 14 is a block diagram illustrating a process for generating a polarized digital work and polarized system 
resource according to the invention; 

FIGURE 15 is a block diagram illustrating the conversion of a digital work into image data according to the art; 
FIGURE 16 is a block diagram illustrating a system for blind replay of a polarized digital work according to the 
15 invention; 

FIGURE 17 is a block diagram illustrating another system of blind replay ot a polarized digital work according to 
the invention; 

FIGURE 18 is a block diagram of an example structure of a digital document; 
FIGURE 19 is an example digital document; 
20 FIGURE 20 is an example of the digital document of Fig. 16 after it has been polarized; 

FIGURE 21 is block diagram of an example structure of a resource information or system context for a digital 
document; 

FIGURE 22 is a block diagram of an example font table: and 

FIGURE 23 is block diagram of the font table of Fig. 22 after it has been polarized. 

25 

Detailed Description of the Preferred Embodiments 

[0044] The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that 
the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the 
30 disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely rep- 
resentative and do not limit the scope of the invention. 

[0045] Figure 1 represents a top-level functional model for a system for the electronic distribution of documents, 
which as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, soft- 
ware, audio and video clips, and other multimedia presentations. 

35 [0046] An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for 
distribution. Although it is contemplatedthat the author may also distribute documents directly, without involving another 
party as a distributor, the division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 1 1 0 to 
concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. 
Moreover, such a breakdown would allow the distributor 1 14 to realize economies of scale by associating with a number 

40 of authors and publishers (including the illustrated author/publisher 110). 

[0047] The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, 
the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the 
original content 112 with the user 118's public key, and modified content 116 is customized solely tor the single user 
1 1 8. The user 1 1 8 is then able to use his private key to decrypt the modified content 1 1 6 and view the original content 

45 112. 

[0048] A payment 1 20 for the content 1 1 2 is passed from the user 1 1 8 10 the disuibuior n 4 by way of a clearinghouse 
122. The clearinghouse 122 collects requests Worn the user 116 and I rem other users who wish to view a particular 
Df.i.ui.iM..."ii.f c;ii,anr.pl.i»UM 'it- 1 un r.olii-n: r .v-t.-.i- nl iniwnviUu-i • - f- frf-ium: • rrr-rHi r?..rf tif.r.5 f.« • 

tions. or other known electronic payment schemes, and torwards the collecieo users' payments as a payment batch 

50 1 24 to the distributor 1 1 4. Of course, it is expected that the clearinghouse 1 22 will retain a share of the user's payment 
120. In turn, the distributor 114 retains a portion of the payment batch 124 and torwards a payment 126 (including 
royalties) to the author and publisher 110. In one embodiment of this scheme, the distributor 114 awaits a bundle of 
user requests lor a single document before sending anything out. When this is done, a single document with modified 
content 116 can be generated for decryption by all of the requesting users. This technique is well-known in the art. 

55 [0049] In the meantime, each time the user 118 requests (or uses) a document, an accounting message 128 is sent 
to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent 
by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. 
Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment 
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in oh.roes that vary, depending on tne duration or other e "«™ »' in Figure 1 . is in eomtrton oa. today. As 

document distributee are shown. Aa *«» s6ed *„7*.X„| sl „, ea pob |i cl y and deciphered priyately by .uthonaed 
^SZXSZ b a EST o^^^ «n^i«-, » a ddOupnen, to en intended 

r00521 At the outset, an encrypted document 21 0 is rece.vec i oy ine ioca ^ {he 

beli:^^^^ 

K a hdtdddpy, dt ,d, other uee depends on the 

document type. sterns like this The clear content 216 can be copied, 

[0054] As discussed above, the document ,s vulnerable distributor n14 or the author/publisher 
Lred, or passed along to other users without lhekn ™'^ by cap uring the document in the clear in 

110. Even a legitimate user may be tempted to m.n.m.ze the \ cens 3^ * c J lhe c 9 ontent owners . As discu ssed 

reTe^—n ^^^^l^^ ^ - — * — ^ - ^ 

^^^^^^ 

encrypted documents at ^ useMlB, . system. A -^^J^Sl s" is passed to a decryption step 312 
[0056] Figure 3 looks similar to Figure 2 in that M rpsuttina in presentation data 318. However, an addi- 

which uses a private key 31 4) and a rendenng appeal on £ 6, resutt ng n p rese ^ q ^ ^ 

ional layer ot protection is provided by a protecting shell 320 The Protecting sne avaBable to be 

deSpte'd and rendered without ever .eaving clear <™^^*Z£^*£ document 310, as will be 
intercepted. This is accomplished by '^^^^2^^^ < s are adap,6d ,0 M 

SS^T^^ as savin9 the " or periomin9 cu, " and " 

paste operations) according to the user's P erm ' ss !°^ , R 4 jncludes an intermediate -polarization" step 

[0057] Figure 4 is a more s0 P hlst ' ca, ^»^ e I is rendered. First, the encrypted document 

adapted to secure the document after « "as been d ~^ ed ^ f ^J, e use , s private k ey 414 and, via a decryption 

SEST Tntp^rization key 413 is used ^e polarizer 41 2 to trans^ 

contents 420. All ol these operations can P^J^ J^'^ng « and polarizing it. 
the polarizer 41 2 does not store a dear ^^^^^JIJJ - combination ot data elements taken 
[0059] in one embodiment of the .nvention, the polarization key^ne P keystroke, the 

Lmthe user's system's interna, state, such as , ^he date a ^ ^'^J^ ^^ab ^erived from the user^s system, 
processor's speed and serial number, and any othe^ so that interception and seizure of 

™ ^ — — - —* ■ as ihe 

cation 424. As discussed above, typical rendenng ^ mX,m '^^^^n B will not be able to process the 
Adobe Acrobat Reader. However, it is likely that such externa, ^ J nave been 

polarized contents 420, as the contents, any formatting codes, and other cues by 

scrambled in the polarization'process. „ ftmmilfat h,e (or at least fault-tolerant), or it must receive po- 

• Eo^s™^ 

££j %r r^oT^derind appKatipn * poi.tized pteaentatidn data P26. »hioh h,e been torm.ned by the 
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rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 
426 is passed to a depolarizer 428, which receives the polarization key 418 and restores the original form of the 
document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with 
the rendering or display function. In this case, the polarized presentation data 426 is received directly by a display 

5 device which can be separate from the user's system and receive data over a communications channel. 

[0063]' Creation of the polarization key 418, the rendering application 418, and the depolarization step 428 are all 
elements of the protecting shell 422; these are tamperresistant program elements. It is contemplated that all compu- 
tational (or transformation) steps that occur within the protecting shell 422 will use local data only, and will not store 
temporary data to any globally accessible storage medium or memory area; only the explicit results will be exported 

1 o from the protecting shell 422. This approach will prevent users from easily modifying operating system entry points or 
scavenging system resources so as to intercept and utilize intermediate data. 

[0064] It should be noted that the presentation data 430 of Figure 4, in alternative embodiments of the invention, can 
be either device independent or device dependent. In the device-independent case, additional processing by a device 
driver (such as a display driver or a printer driver) typically is necessary to complete the rendering process. In the 
13 presently preferred device-dependent case, the device-specific modifications to the presentation data have already 
been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can 
be sent directly to the desired output device. 

[0065] The decryption schemes described with relerence to Figures 3 and 4 above are enabled by a unique document 
structure which is shown in detail in Figure 5. As discussed above, certain operations performed by the system and 
20 method of the invention require trusted components. One way to ensure that certain unmodified code is being used to 
perjorm the trust ed aspects of the invention is to provide the code along with the documents. The various components 
of a self-protecting document according to the invention are illustrated in Figure 5. 

[0066] The problem of document protection is approached by the invention without any assumptions on the presence 
of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document 

25 to be an active meta-document object. Content owners (i.e., authors or publishers) attach rights to a document that 
specify the types of uses, the necessary authorizations and the associated fees : and a software module that enforces 
the perrniscions granted to the user. This combination of the document, the associated rights, and the attached software 
modules that enforce the rights is the selt-protecting document ("SPD") of the invention. A self-protecting document 
prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the 

30 content owners. 

[0067] The self-protecting document 510 includes three major functional segments: an executable code segment 
51 2 contains certain portions of executable code necessary to enable the user to use the encrypted document; a rights 
and permissions segment 514 contains data structures representative of the various levels of access that are to be 
permitted to various users; and a content segment 516 includes the encrypted content 116 (Figure 1) sought to be 
35 viewed by the user. 

[0068] In a preferred embodiment of the invention, the content segment 51 6 of the SPD 51 0 includes three subsec- 
tions document meta-information 51 8 (including but not limited to the document's title, format, and revision date), rights 
label information 520 (such as a copyright notice attached to the text, as well as rights and permissions information), 
and the protected content 520 (the encrypted document itself). 

40 [0069] In one embodiment of the invention, the rights and permissions segment 514 includes information on each 
authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, user 
John Doe may be given the right to view a particular document and to print it twice, at a cost of $10. In this case, the 
rights and permissions segment 514 identities John Doe, associates two rights with him (a viewing right and a printing 
right), and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and 

45 permissions segment 514 may also include information on other users. 

[0070] in an aiiernative embodiment, the righis and permissions segment 514 includes only a link to external inlor- 
malion specilvinc- righis inlormalion. In such a case, the aciual rights and permissions are stoted elsewhere, lor example 
, l 6-iwori:feu|*rTT.it!ii i.ter^-.. whirl. , i.iic ri*c. t.--*h lim*. the- c, .. ■ ;. ... *r\1 1'.ii epp"*™ P»"virif- S 

the advantage that righis and permissions may be updated dynamically by the coniem owners. For example, me price 

50 for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected. 

[0071] In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known 
in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user 
from directly viewing the rights and permissions of himself and others. 

[0072] The executable code segment 512, also called the "SPD Control," also contains several subsections : each 
55 of which comprises a software module at least partially within the executable code segment. In one embodiment of 
the invention the Java programming language is used for the SPD Control; however, it is contemplated that any plat- 
form-independent or platform-specific language, either interpreted or compiled, can be used in an implementat.on of 
this invention. 
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I0 0 73] A rights enforcer 524 is present to verify the ^^ZZ^ZZ 

L and polarize the data according to the system state ^^JJ^^oSrt before it is stored or decrypted, so 
embodiment of the invention the po.anza . on eng ,e ^c - P on the do^ ^ , & ^ j£ R fe 

the document is never stored in the clear on the i ""^ syewm e ^ rs ;. engineering> and disassembling, 
cryptographically signed and ^^^^^^^^^^ generatipn of dear presentation data 
[0075] A counterpart depolarization eng.ne 528 is also "cIwmk mo . a a providing 

rem the polarized content (see Figure 4). The ^S^^J^M^Z user's system. The secure 
a re.a.ively tamper-proof interlace to the rendering ^^^2^ ^ the document , in its clear form, 
window objects are resistant to being ^^^^^^^^ operating system, 
can be reconstructed by intercepting generation of clear presentation data 

roo76] A counterpart depo.anzat.on eng, ne 5 B is a ° ^ J 8 a relatively ta mper-proof interlace 

,rom the polarized content (see ^ure 4). The depola ™«™ en £^ ^ t0 the aepola nzation engine 528 is 

« ^ -1 — a - ° f ^ C ' ear COmem Whh0Ut 
further depolarization which depends on, fo, example, the user's system i«ale. ^ js 

0077] A secure viewer 530 is optionally included .n and permissions segment 514. 

Led to permit only those .evels of ^^•^^^^Z^^ — or print the viewer wil, 

^Finally, a rendering engine 532 is included or ^"Ts^Z^^ 
daring engine 532 need not be secure. ^^^^^J^L. fn ether case, the rendering engine 

30 ^079] The foregoing aspects and e.ements of the self-protecting document 610 w» be discussed in further detail 

: - ™ ,ed) ,orm; a hi9Mevel ri9hts 

specification 614; and an optional ^ennark ; 6 i16. documen i as desired by the author or publisher. 

[0081] The content 612 ,s pre-processed (step 61 8) toayoui essentialry "pre-ren- 

For example, a preferred page size, font and page^ ^ out may bese etfeo. The ^ users> systems th> 

dered" in the content pre-processing step so that rt w. be in a '°™ a Acrobat ( . >PDP) , orm at 

SPD. For example, the content 612 may be converted '™^^f e ™ ( ^ (Fi g Ure 5 ). In one embodiment of the 
to a different format specially adapted to be read by ^/^^ step and stored in the 

invention, muKiple versions of the content 6 2 are gene ^» «J^S3 5 the user according to his needs, 
generic SPD 610; those different versions may then be . sepanrt * are ennl8Slble . Such a 

[0082] The high-level rights specitication 61 4 sets ™*^ a ^"^** mer J x gr0 ups of rightsfor different 

limitations are describee with reference to a detailed example, wh . ^ ^ ^ ^ ^ ^ ^ ^.^ ^ „ 

,U.i.:-. Dipnoi Hopeny hu-.,.: ■ Ini'^'can be specified and enforced tor rights. Rights speci- 

provides a mechanism ,n which Z tr example. U.S. Patent No. 5,715,403 to StefiK, 

fications are represented as statements n DPRL. For de.a Is -ee w P ^ ys R . ghts where the 

specification, different sets o, rights app.icab, , to 1 ^£^%TZ o condLns' Conditions can be of 
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can be performed, and so on. DPRL allows different categories of rights: transfer, render rights, derivative work rights, 
file management rights and configuration rights. Transport rights govern the movement of a work from one repository 
to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work 
through a transducer to an external medium (this includes the "export 0 right, which can be, used to make copies in the 
clear). Derivative work rights govern the reuse of a work in creating new works. File management rights govern making 
and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories. 
An exemplary work specification in DPRL is set forth below: 

(Work: 

(Rights-Language- Version: 1.02) 
(Work-ID: "1SDN-1 -55860-1 66-X; AAP-2348957tut") 
is (Description: 'Title: 'Zuke-Zack, the Moby Dog Story' 

Author 'John Beagle' 
Copyright 1994 Jones Publishing") 
(Owner (Certificate: 

(Authority: 4 "Library of Congress") 
(ID: "Murphy Publishers"))) 
(Parts: "Photo-Celebshots-Dogs-23487gfj" 4 *Dog-Breeds-Chart-AKCT) 
(Comment: "Rights edited by Pete Jones, June 1996.") 
(Contents: (From: 1) (To: 16636)) 
(Rights-Group: "Regular" 

(Comment: 'This set of rights is used for standard retail editions.") 
35 (Bundle: 

(Time: (Until: 1998/01/01 0:01)) 

(Fee: (To: "Jones-PBLSH-18546789"XHouse: "Visa"))) 

(Play: 

(Fee: (Metered: (Rate: 1.00 USD) (Per 1:0:0) (By: 0:0:1)))) 

(Print: 

(Fee: (Per-Use: 10.00 USD)) 

(Yrium 

(Certificate: 

(Authority: "DPT- 

(Type: *TrustedPrinter-6"))) 

5 5 (Watermark: 
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(Watermark-Str. 'Title: *Zeke Zack - the Moby Dog' Copyright 
1994 by Zeke Jones. All Rights Reserved.") 
(Watermark-Tokens: user-id institution-location render-name 
render-time)))) 

10 (Transfer.) • , 

(Copy: (Fee: (Per-Use: 10.00 USD))) 

(Copy. (Access: 
i5 (User (Certificate: 

(Authority. "Murphy Publishers") 

(Type: "Distributor"))))) 
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(Delete:) 
(Backup:) 

(Restore: (Fee: (Per-Use: 5.00 USD))))) 



a chart of breeds incorporated from o.her~ ; A ^J^XlvZ are valid until January 1 . 1998 and 
apply to all rights in the group. Th,s ^SSsTflS clearing house for this transaction should be 

that the fee should be pa.d to account Jones -PBLSH-1 8546788 . The , c lea g accumulated by 

Visa. The following coniract applies: the work can be played b> r pay -ing $1 .00. eyen/ n 

the second; the work can be printed on TrustedPnn,er-6 which " ^^^^^S inform^ known 
printed copy should have a watermark str.ng (as deputed) ™^ t «*£™W"W«B 9 P Uom 
at the time it is printed; this work can be copied e.ther by ' ^* f^Sed (restoration costs $5.00). 

Murphy publishing; and unrestricted transfer de.et.on or backing up o trus work * J™« < h 

5S5T The generic SPO .10 is then created (step f ) = ^ 

9e" StO may also optionally be encnypted by the 
author/publisher ttOlor transmission to the distributor IV I (Figure 1) cust0 mization. When a 

„Mh. SPD 632 A puMe-Wy .noyptlon ^ , ^.rJbMM. 



can be used to decrypt it. 
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[0090] The resulting custom SPD 632 is then transmitted to the user 118 by any available means, such as via a 
computer network or stored on a physical medium (such as a magnetic or optical disk). 

[0091] The operations performed when a user receives an SPD are depicted in the flow diagram of Figure 7. The 
SPD is first received and stored at the user's system (step 710); in many cases, it is not, necessary to use the SPD 
right away. When usage is desired, the user is first authenticated (step 71 2), typically with a user name and a password 
or key. The system then determines what action is desired by the user (step 71 4). When an action is chosen, the rights- 
enforcement step of the invention (step 716) verifies the conditions associated with the desired action (such as the 
fee, time, level of access, watermark, or other conditions); this can be performed locally via the SPD applet 51 2 (Figure 
5) or by accessing a rights enforcement server. 

[0092] If the rights enforcement step (step 716) fails, an update procedure (step 718) is undertaken. The user may 
choose to update his permissions, for example by authorizing additional fees. After the satisfactory verification of con- 
ditions, a pre-audit procedure (step 718) is performed, in which the SPD system logs verification status to a tracking 
service (e.g., the audit server 130 of Figure 1). The content is then securely rendered to the screen (step 722) as 
discussed above. When the user is finished, a post-audit procedure (step 724) is performed in which the amount of 
13 usage is updated with the tracking service. The SPD system then awaits further action. 

[0093] The protection yielded by the SPD is derived Irom the user's inability to capture a useful form of the document 
at any intermediate stage during the rendering process. This is accomplished by decrypting the document contents to 
a clear form at the latest possible stage, ideally in the last step. 

[0094] The SPD decryption model is illustrated in Figure 8. E denotes the encryption-function performed by the 
20 publisher, D denotes the decryption performed at the user's system, and R denotes the rendering transformation. Many 
prior systems use a first sequence of transformations 810, D(E(x)) followed by R(D(E(x))). As stated previously, the 
early decryption leaves the document in a vulnerable state. Ideally, the transformations are performed in the reverse 
order 812, R'(E(x)) followed by D(R'(E(x))). This postpones decryption to the latest possible time. 
[0095] The existence of R\ a rendering operation that can be performed before decryption, is determined by the 
2S following equality: 

D(R'(E(x)))= R(D(E(x))) 

30 In case that the encryption and decryption functions are commutative, that is. E(D(x)) = D(E(x)) for any x, the existence 
of R' is ensured: 



R" (y)= E(R(D(y))) fory=E(x) 

35 

In practice, encryption and decryption functions in popular public-key cryptographic systems such as the RSA system 
and EIGamal discrete logarithm system satisfy the commutation requirement. This means that the transformation R' 
exists if these cryptographic systems are used for encryption and decryption. 

[0096] The path x* = D(R*(E(x))) portrays an ideal SPD solution to the document protection against unauthorized 
40 document usage and distribution. A scenario of distributing and using a document can be described as follows. When 
a user purchases the document, the document is encrypted using a user's public information and is transmitted over 
an insecure network channel such as the Internet. The encrypted document has the rights information attached to it 
and a protecting applet 512 that enlorces the rights and permissions granted to the user by the content owner. Upon 
a user's request on using the document, the applet verifies the rights and permissions and generates from the encrypted 
45 document the presentation format of the original document. As any intermediate form ot the document before the final 
presentation daia is encrypted with the user's private inlormalion : the SPD model ol document protection ensures thai 
any imermediate torm ol the document is not uselul to other systems wherever it is intercepted. 
|0U£7j Cieany, tm< iar.;..; rv.coH reiie: or. wheinr-i l: nt-. si,.- iran? iornv.iii'i. i iru-i corresponds to the rendering, 
transformation R can be commuted efficiently, and in particular on whether or not an invocation ol the decryption function 
so D is necessary during an implementation of R'. A trivial case in which R' can be implemented efficiently is where R is 
commutative with the encryption function E. When this happens, 



55 



R'(y) = E(R(D(y))) = R(E(D(y))) = R(y) 

for y = E(x). In this case, R' = R. 
[0098] Consideration of Figure 8 reveals that many intermediate solutions (e.g., intermediate solutions 814, 816, 
and 818) to the document protection problem may exist on the user's system between the two extremes x' = R(D(E 
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, ,. n ,p, y « and x- _ D(R'(E(x»), which has ideal protection (under the assumptions 

(x))), which has no protection on x = D(E(x)), and x - u WW. encrypted document E(x) to the 

U forth above). As depicted in Figure 8. one may con „ d . J^jj^™ JJ^^^d.^ 

* «* pa,h increases the pro,ection 
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polarization technique that encrypts only the document it should be noted, does 

This possibility is shown in Figure 9. Beg.nn.ng with the clear document content 9U i 
not exist in any single identmab.e location ^ 

step 412 of Figure 4), the document ,s spl step 1 2] into a data pwt«n8 J c|egr ^ ^ Q ^ 

914 is polarized (st * «»J5£f £ can be^enderfd o poTarlzed presentation data without first decrypting the 

[0100] A method of protecting a digital work ^^J^.'^i^^t^ 1012 ' Di 9 ital 

with reference to Figure enab.es app.ication 1012 to 

work 1010 has been encrypted wrth a format preserving ^ decryption engine 1018 

generate encrypted presentation data h now in the dear, 22 -ess likely to be 

where it is decrypted into clear presentat.cn data 1 020 k P™«J™'""^ * or used direct , y by the user, then no 

to display device 1026. ^oii™ nan hp stated as follows. Suppose a client Cathy 

[0101] in a general context, the problem of bhnd private) data a and her private data 

wants a server Steve to compute Steve knowing her private data x 

x, and Cathy wishes, for privacy concerns, that th e t ra ns10 ™ a " on CO mpuies F(a,x) for Cathy but with his 

and the function value F(a,x). From Steve's pent of view th ^transformation only with 
eyes blindfolded. What this means is that Cathy ^"^^^^^g^ encrypted us,ng her key 
data E k (x) encrypted using Cathy's key k, ^"j^^^^^a disclosing the data x in the 

^^Z"^:^ mode^r irsformaL with partially enc.pted data is shown 
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below: 



(a,x)— £-Ka,£(*)) 

Fl ir 

ir- «,h Q i qipwp rpallv comDUtes, and the transformation result F'(a s E k 
(x)) - ticina.xjj i&> icauy /r rflr ries out a "blind" transformation for Cathy. 

(i) Cathy encrypts > usmp her enciyption key k. resuliing t r (x). 
,0,03, 

and instance hiding. Blind hanaton™.!,™ now M ^"^'^~^^J, um ,^ c By computing P Inae.d 
,h. ..notion P the, me sen,., «*« to p. and hence ia coop.,*. with 

^rrrp=^ 
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that the server computes private to the client, but they differ in that the client supplies the data input and the server 
supplies (a program that evaluates) the function in blind transformation, while it is the other way around in secure 
mobile computing. Note that blind transformation allows some portion of the data (e.g., a) to be in clear. This enables 
use of some dynamic yet clear data in the rendering process, such as display window size, reference positions for 

5 shifting content, scaling factor and coefficients in a rotation operation. , 

[0104J Blind transformation works only if there exist functions F and P to compute the encrypted data. It can be 
shown that multivariate: integer coefficient affine functions using additive encryption schemes permit many document 
rendering functions of the affine type on the x- and y-coordinates to be evaluated in blind transformation. For a given 
encryption scheme S, a function F: X -> X is said to be S-blindly computable if there exists some function P : X -» X 

io such that the computational complexity for evaluating P is a polynomial of the one for evaluating F, and 

F(a,x) = D ko (F'(a,E k (x))) 

is for any k G K and x E X. A function F: X -> X is said to be blindly computable if there exists an encryption scheme S 
with X being a subset of its message space such that F is S-blindly computable. 

[01 05] Any multivariate, integer-coefficient affine function is S-blindty computable for any additive encryption scheme. 
Specifically, let 
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25 be a multivariate affine function with a constant x 0 G X, integer coefficients aj and variables x v ... x k in X. Then, for 
any key kGK, there exists a computationally efficient function 



such that 



40 Indeed, the constant y 0 and integer coefficients b t in P^ ^ ^ can be taken to be y 0 = E k (x 0 ), bj = a jt i= 1, k. The 

blind transformation of multivariate, integer coefficient affine functions using additive encryption schemes allows many 
document rendering functions of the affine type on the x-and y-coordinates to be evaluated in the blind manner, pro- 
viding a theoretical foundation tor the format-preserving encryption and trusted rendering of documents described 
herein. 

45 [0106] A document is usually a message that conforms to a certain format. For document encryption : in addition to 
simply encrypting the entire document, there are many ditterent ways to encrypt only some pans of the document. The 
poal here is that me inlormation leakage about the unencrypted ponion cannot be user!, or il it does leak : it is compu- 
tciu.-naih riiliiiuMi it nvoon: imc : ihc- c.ic-.l.. cripin&l o(=. mm vu ; 

[0107] 11 an encryption scheme which preserves formatting inlormation ot the digital work, men any transformation 
50 function (replay application or rendering application) may be used. An example of a format preserving encryption meth- 
od is described tor convenience with reference to token-based documents. The method for form at- preserving encryp- 
tion can be easily extended or applied to documents in other formats (such as HTML/XML. Microsoft WORD, Acrobat 
PDF, etc.). In a token-based format such as the Xerox DigiFaper, each page image of a document is represented as 
a "dictionary" of token images (such as characters and graphics elements) and location information (indicating where 
55 those token images appear in the page). Thus, multiple occurrences of the same token in the document can be rep- 
resented using just a single image of that token in the dictionary. 

[01 08] The process of rendering a document in such a format is then accomplished by consecutively reading in token 
locations, retrieving images of the tokens from the dictionary and drawing the images at the specified locations. The 
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benefits of token-based documents are compact file size and fast rendering speed for use in distributing, viewing and 
printing of electronic documents. In the DigiPaper format, tokens are stored as binary images using the CCITT Group 
4 compression f oimat, or as color images using JPEG compression, and the position information of the tokens is further 
compressed using Huffman coding. 

s [01091 For convenience, a token-based document D of P pages is formally modeled as a table (dictionary) of tokens 
T of size ITI, together with a sequence of P tables of locations L k of size IL k l (1 < i < P), representing the P page images. 
Each entry TTj] 1 < j < ITI, is a pair (id[j],trj)) of an identifier id[j] and an image t[j] of the j-th token. Each entry L,[k], 1 < 
k < IL I in the i-th image location table L| is a triple (id[k],x[k],y[k]) representing the k-th token occurrence in the i-th 
page image where id[k) is the token identifier, and x[k], y[k) are its x- and y-coordinate differences from the previous 

io (k -1 )-th token occurrence in the page. For example, take the simple document shown in Figure 1 1 . The token dictionary 
and location table (using x, y coordinates) for this document are shown in Figures 12 anb 13 respectively. 
[0110] The schematic pseudo-code Render(D) below shows how page images of a document D are rendered. In 
the code Xn y 0 are the base references for the x- and y-coordinates for each page, Lookup(T,id[k)) is a subroutine 
that upon the input of the dictionary T and a token identifier id[k], returns a token image t in T corresponding to the 

15 given identifier, and Draw(x,y,t) is a subroutine that draws the token image t at the location (x,y). 

Render(D) 
{ 

Load T into memory 
for i = 1 to P do 
{ 
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Load Lj into memory 

x = Xo 

y = yo 

for k = 1 to DU do 
{ 

x = x + x[k] 

y=y+ yM 

t = Lookup(T4d[k]) 

Draw(x,y,t) 



[0111] in addition to tne shining translocation >' = x + a s y = y + b as used in the scnematic rendering process 
described above, there are several other coordinate transtormations that may occur during the document rendering. 
[01 1 2] Scaling .' The scaling transformation is of the lorm x' = ax, y' = by, where a and b are scaling factors for the x- 
coordinate and y-coordinate, respectively. Scaling may be caused by resizing the display window or print paper. 
[0113] Rotation. The rotation transformation is 
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for some constants a, b, c, d, which form a 2-by-2 rotation matrix. This transformation is needed when the page image 
is rotated. 

[0114] Affine Transformation. An affine transformation is one of the form x = ax + by + e; y = cx + dy + f for some 
constants a, b, c, d, e, f. in the vector form, it is: 



Clearly, shitting, scaling and rotation transformations are special cases of affine transformations. It is those affine type 
transformations that make it possible to achieve a high-level trusted rendering under encryption of coordinate infor- 
mation using additive encryption schemes described below. 

[0115] A special class of encryption schemes, namely, additive encryption schemes, are used to carry out blind 
transformation of functions of the affine type, which provides a foundation for trusted rendering of documents. Blind 
transformation by a rendering transformation R and R* of an encrypted document satisfies the relationship: D(R'(E(x))) 
= R(D(E(x))), where E is an encryption function and D is a decryption function for E. If E(x) is an additive encryption 
scheme, then R* = R. 

[0116] An encryption scheme S generally consists of basically five components: (i) a message space X which is a 
collection of possible messages, (ii) a ciphertext space Y which is a collection of possible encrypted messages, (iii) a 
key space K which is a set of possible keys, (iv) a computationally efficient encryption function E : K x X -> Y and (v) 
a computationally efficient decryption function D : K x Y X For each key kGK, there is a unique key IcVe K, such 
that the encryption function E k = E{k,) : X V and decryption function = D{fc\) : Y -* X satisfy that, for every 
message x e X, 0* 1 (E k (x)) = x. The key k is called an encryption key and k" 1 its corresponding decryption key. 
[01 17] Such defined encryption schemes can be varied in several ways to cover a wide range of concrete encryption 
schemes used in practice. One variation is to consider whether or not keys used for encryption and decryption are 
different. In the case where all encryption keys k are same as their corresponding decryption keys k" 1 , the scheme is 
a symmetric (or private-key) one; otherwise, the scheme is asymmetric. In the case where, for all possible k, le 1 is 
55 different from k and computationally difficult to derive from k, the scheme is a public-key encryption scheme. 

[0118] Another variation is to differentiate deterministic and probabilistic encryption schemes. In a deterministic 
scheme, all the encryption and decryption functions E k and D k ., are deterministic functions, while in a probabilistic 
scheme'the encryption function E k can be non-deterministic, namely, applying the function to a message twice may 
result in two different encrypted messages. 
c0 [0119] An additive encryption scheme is an encryption scheme whose message space X and ciphertext space Y 
possess some additive structures and encryption function E k = E{k % ) : X — > Vis homomorphic with respect to the additive 
structures. Specifically, let X = (X, +, 0) and Y = (Y,©,0) be two commutative semigroups with (possibly different) zero 
elements 0 satisfying, tor example, for all x, x + 0 = x and 0 + x = x, and efficient operations + and ©. An encryption 
scheme is said to be additive if, for any k G K and any x t x' E X, E k (x + x') = E k (x) © E k (x'), and the operation © does 
45 not reveal the clear messages x and x\ The last condition on © makes additive encryption schemes non-trivial. Without 
this condition, the operation © on Y can be trivially defined y © y = E l; (D k . n (y) + D^y')); that is, it is accomplished by 
firsl decrypiino the arciumenif . Ihen addinp them topelhpi p.nd linalty rp-encryplinc the resuli 

(ini-Uj Clo&eiv i'M&im .« in«... f r.ci/piior. i.cntr.v-: 1 .. n-..«- * . . , 1. i-i.ciypium scheme is said tc t)f- 

multiplicative if its spaces X J and Y have the ring suuciures (i.e., in addition to their additive structures, they have 
50 respective multiplications x and ® that are distributive over their additions + and ©, and multiplicative identities), the 
encryption function E k is homomorphic with respect to the multiplications, E k (x x x 1 ) = E k (x) © E k (x § ); and the operation 
® does not reveal the clear messages x and x'. 

[0121] In general, additive (as well as multiplicative) encryption schemes are not non-ma1leable : since a non-malle- 
able scheme requires that, given an encrypted message it is (at least computationally) impossible to generate a different 
55 encrypted message so that the respective clear messages are related. Accordingly they have a weakness against 
active attacks where the adversary attempts to delete, add or alter in some other way the encrypted messages. How- 
ever, when these schemes are used to encrypt documents, extra measures in data integrity and message authentication 
can be taken to reduce risks caused by these active attacks on document integrity as well as confidentiality. Moreover, 
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end users are less motivated to initiate active attacks, as the attacks will affect document contents that the users are 

miSl 10 ToxTeZvZ** schemes can be defined as additive ones in an easy and natural manner. In fact some 
Ln^ ^signed with a requirement of being non-addit^e or at least being able tc > convert M n n- 

S^e N^IISess. there are many examples of additive encryption schemes that can be used ,n JfJ^J 
^^^^^^c^pt\on and trusted document rendering. Mult, Exp and EG (three determm.st.c schemesy OU 
(^W)^S RSA are examples of addtive encryption schemes (with varying degrees of vulnerably to attack) 
may be used in the format preserving method. 

[0123] Multiplicative Cipher (Mult) is a symmetric encryption scheme : where X = Y = Z n - {0, 1 , ... n 1} for some 
integer n > 0. The encryption of a message x using a key a is , 



y = E a (x) = ax(mod n) 

75 and the decryption of a message y using a key a is 

x = D a (y) = a* 1 y(mod n), 

po whpre a* 1 is the multiplicative inverse of a modulo n. e/sm _ 
mi241 Exponential Cipher (Exp) is a symmetric cipher, where X = and the ciphertext space Y - Zp for some 
primeV LTk is the se" of ail general of the mu.tip.icative group Zy For any generator g 6 K, the encrypt.on 
function is defined as the exponential function 

25 E fl (x) = g x (mod p), 

while the decryption function is defined as the logarithm function 

30 D g (y) = log g y (mod (p - 1)). 

[012S] Semi-probabilistic EIGamal Cipher (EG) extends the exponential cipher to the EIGamal cipher which leads 
he EIGamal cipher to run in a semi-probabilistic mode. For each message x £ Zp. where Zp = < 1 - "-^J^™ 
crime paTs a generator in the multiplicative group Z V the private decryption key for a user ,. a random number a > e 
z"™th; g ibfcIl^ion key « = g°(mod p) 6 Zp, The encryption E„(x, r) depends on a unrformly chosen random 
number r £ Z* p .v 

E a (x.r) = (g r (mod p), xo' (mod p)) = (s,t). 
For an encrypted message (s, t), the decryption function is defined as 

D u (s,t) = t(s°)' 1 (mod p). 

,0126] The EIGamal cipher in ,ts oripinal form as described above is hardly additive. However, the operator 9 can 
Le -p.rti.iiy def.ned on the ciphenext ol those x's that share a same random numbe, , as lo.low. 

si Eo(Xi r) © £ a ( x', r) = (s, t) © (s, f) = (s. t + f) = E a (x + x'(mod p), r). 

10127] This panially defined operation is applicable when a batch of messages are encrypted using a same random 

55 m^rOkamoto-Uchiyama; Cipher (OU). Okamoto and Uchiyama proposed an additive, public-key «cr*£n 
55 [0128] UKa ™ l ° » ^ uchivama "A New Public-Key Cryptosystem as Secure as Factoring , Eurocrypt98, 

S W ol „ c ,o,in 9 n . p=q agains, p=aa». adversaria* Coaae two >arge pr.mes p. q at k b«s ror same k > Card W 
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10 



n = p2q Choose g G Z* n at random such that the order of g p = g^ 1 (mod p*) is p. Let h = g" (mod n). The message 
space X of the OU scheme is the set Z\ (not the set {1 ,...2 k " 1 } as claimed by Okamoto and Uchiyama) and the ciphertext 
space Y is Z n . For a user, a public key is a tuple (n, g : h, k) and its corresponding private key is the pair (p, q) of the 
primes. To encrypt a message xGX.a random number r G 2 n is chosen uniformly. Then,the encrypted message is 

y=E (n . g ^. k) (x,r) = g x h r (modn). 

To decrypt the encrypted message y, a "logarithmic" function L:T -> T, 

L(x) = (x-1)p' 1 (modp 2 ) 



is used, where T is the p-Syiow subgroup of Z> i.e., r = {x e Z' p2 I x - 1 (mod p)J. With the function L, the decryption 
is function is 



x = D pq (y) = L(y M (mod p 2 ))L(g p )* 1 (mod p 2 ). 



20 [0129] New additive encryption schemes can be constructed from existing ones vie the composition construction of 
encryption schemes. The composition construction can also be used to construct additive encryption schemes from 
non-additive ones. For instance, the composition of the exponential cipher Exp and any multiplicative encryption 
scheme S (such as RSA) results in an additive one. 

[0130] Additive encryption schemes enable blind transformation with partially encrypted data, which serves a foun- 
ds dation for trusted rendering of documents, as discussed above. In particular, additive encryption schemes can be used 
to perform blind transformation of arfine functions with clear coefficients and encrypted variables. 
[01 31 ] Returning to the example of a token-based document , since a token-based document D consists of a dictionary 
T of token images and a sequence of location tables L, (one tor each page image), the idea is to encrypt the content 
of the dictionary T and location tables L h resulting in a dictionary T of encrypted token images and tables L'j of encrypted 
30 locations Recall that the dictionary T consists of a collection of pairs (idffl, tffl), j = 1. ■•■ ITI. Associated with T is a 
subroutine Lookup in the rendering process that, given a valid token identifier id, returns its corresponding token image 
t in T In encrypting the dictionary T, there are three basic choices: encrypting token identifiers, token images, or both. 
Encrypting either identifiers or token images helps unlink the connection between the identifiers and their token images. 
In addition encrypting token images protects proprietary token images. In any case, it is desirable to allow valid access 
35 to the dictionary only within the rendering process P, while making it computationally difficult to obtain a copy of the 
entire clear contents of the dictionary. This is possible because in many cases the valid identifiers (e.g., Huffman 
codewords) are only a very small subset of all binary strings of up to a certain length, and consequently any exhaustive 
identifier search will not be efficient. 

[01 32] More formally, given the dictionary T and the Lookup subroutine that accesses it, the requirement on encrypting 
40 the dictionary is that the encrypted dictionary T and the corresponding subroutine Lookup' satisfy the following con- 
straints: 

(1) For any encrypted identifier E k (id) : Lookup'(T\E k (id)) = E k (Lookup(T,id)) and 

(2) Given T and Lookup', it is computationally inteasible to reconstruct T. 

[01 331 For an encrypi.on scheme S. T and Lookup' can be conslrucied as follows . Lei ID be the sel ol all syntactically 
possible identifiers: in panicular, ID'c ID, where ID* = {id I fid.O S T). Let h be a one-way hash function whose domain 
is II. ."Iiifci.li.fr fcnf rypifri'Mfkfri. tIif.iioi.sr : *. i: OMivf-iMu.:.. & H in--: : u i * v» « ,i; j i». \. p'.-ir fMic.^Lj.Ujj ■: 
insened into T\ The modified subroutine Lookup' uses the algorithm: 
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Lookup'CTjd) 
{ 



id' = h(id) 

t/ = LookupCT^dO 

return (0 



} 



N oticethatthe return value of L ooku,is^ 

into the final subroutine DraW in the rendenng bo thl terms of storage-space overhead and in terms 
[0 134] This dictionary encryption « c ° m P u, a^ dictionaries. If the hashing and encrypt.on 

'any combination of the three elements can b ^IZlton of the affine type to the iocation coordinates^ 
scheme is recommended to enable applymg W"^™^™^ prote ction must be made. In a token-based 
For identifiers, a trade-ofl between document c ™* e ^™aT^e™ <<»*° compression purpose. For example, 
document, a token identifier is usuaily a codeword 9 ^ e &f& the bina ^ Huffman codewords of the 

when the Huffman code is used ,o compress J^^^,^ case , simply using a deterministic encrypt.on 
tokens based on their occurrence ^*^™J^*™™* n on them.This is because the scheme does not change 
scheme to encrypt these identifiers offers n ^^^tcan re-count the number of occurrences of the encrypted 
the occurence frequency of each token, and he ^"^^wmerm. Therefore, in order to hide occurrence f re- 
identifiers to re-construct the Huffman codeword :Va prSl.is«c encryption schemelo encrypt the idenUfmrs. 
agencies of the tokens in the document ,t ■^^^ ld ^T^) and reduce the document 

\ probabilistic and asymmetric one like the O amo o -Uch-yam c pher OU t jfP ^ ^ 

not a big problem. For each entry (:d,x,y) in L„ insert (id E k ( ).E M) ™ case thfi entrjes in the 

dent Js entries like (E k (id),E k (x),E k ( y )) may be • "J* ^Ts^vL Lookup' above also needs to be 
encrypted dictionary T need to be changed to (E k (id),E k (t)) s, ana 

modified to reflect the change. , oke n-based document mentioned above, the document content 

™ - * » *«- * °— - • 

process is given shown below. 



Render(D) 

{ 
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fori.= 1 to P do 

{ 

Load Li irito memory 

x = E k (xo) 

y = ^(yo) 

for k = 1 to QJ do 

{ 

x = x 0 x[k] 

y = y e y[k] 

t = Lookup'(r,id[k]) 

Draw , (x,y,t) 

} 

} 

} 

Draw'(x,y,0 
{ 

x = Dk.i(x) 
y = Dk-i(y) 
t = Dk-i(0 
Draw(x,y,t) 

} 



During the process, all the coordinate and token image information remains encrypted before calling the subroutine 
Draw'(x,y,t). This is possible tor the coordinate intormation because the encryption scheme is additive. Consequently, 
the content protection level and rendering process performance of the rendering process rely on the security strength 
and computational complexity of the scheme used. 

[0138] In another embodimem of the invention, a dipiiai work is. polarized enabling trusted rendering or replay of the 
dipital work without depolarization o( the dioiial content or ihc-- Presentation date.. In this embodiment, the digital work 
is. ihe lype which inciuo'fe.- ou-ii;.. . -i-i.ifem fai.ci letotM^ n,n,r..«..u ,i;mm c alifec c. m aer,, context), hesource intormatioi. 
includes formatting inlormatidn or other information used by a replay or rendering application to convert the digital work 
into presentation data. 

[01 39] Polarization is a type of transformation which renders the original content unreadable or unusable. For a digital 
work w, a polarization scheme T, which uses a seed s, generates a polarized digital work w' according to: w' = T(w, s). 
The same transformation T may also be used to generate the polarized resource information S' according to S' = T(S, 
s). In this example, a seed s is used to make reverse engineering of the polarization scheme more difficult. 
[0140] For example, a document type digital work may be polarized using a simple polarization scheme. In a docu- 
ment the digital content comprises a series of characters in a particular order or location. If the document is to be 
displayed on a viewing device, each character must be able to be displayed at a particular location for viewing by a 
user on the viewing device, such as on a monitor A coordinate system is required tor displaying each character on 
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appears at the top line, indented by five SP***- abQve paragrap h is to translate the location of the 

[0 T41] A simple P°'^ a,i0 V SCh ^^ (x.y) location. Suppose the location 

!SLn functions may be used to polarize the above paragraph: 
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Y = by, for the vertical axis; and 
X = x/a, for the horizontal axis. 



y = logb(Y), tor the vertical axis; and 
X= aX, for the horizontal axis, 



where log b is the logarithm with base b. charac ter in the polarized digital work, the location is 

[0 143] When the replay application obta.ns the , loca ™ P em {X>Y) m (l09b(Y ), aX) =(x,y).Th U s 

Liven by (X.Y) = (x/a, bv). This value is of polarization, the polarized forms of the 

the replay application is able to provide clear presentation dat€ ». encty p tion , depending on the sensitivity of 

0i44? While polarization, in general, is not as rigorous a protec ^ s J^^ e * ork may require a high level 
S digital worMo be protected, different levels of po.anza ,o can be ^ujjd. A ^sen fe ^ fl 

of po.arization; a lower valued work may requ.re a weaker ^ o ^ ^ ^ fe ^ K 

,ower level of polarization may ^ i U8 . ed -^";J2^nd "render or replay the polarized digital work. The type and 
system resources to create the po.anzed J polari2 ation scheme to determine the level 

quality of the polarization seed may also be used , , corrt b.na ™ 1 J ^ (such as one containing authorizat.on 
and strength of the polarization. For ^"gher level of polarization and strength, 

.nlonmation from a trusted source or a JJT^^lSI^urtiO location. Digital works are polarized usually 

paanzed Digital «o* and me pottnzM !■«««. ^° ( ™ „, oulce wonnatloi. an ptcMad » «» user 

encryption scheme usee;. .... ...... oeiiMSiiM. <■■ 
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„..,. r , ( . r ,- ;f < '•«•"■"■/■ r ' ! ''^ nrt n oar.zat.on otmeresou.ee imormal.on. Once me polar.zat.on 

lne po.anzat.on seed, po.anzanon o. me d.g.ta, "^^P^^ ation engine takes as input the digital work or 
seeS is generated, the polarization eng.ne ,s '^^V^^^ or t he resource information based upon 
he resource information, and generates ,„. ^nzed form - ^ ^ ^ po|ari2ed digital WO rk, the polarized 
-transfer— 

,0148] A process for creating a polanzed d g tal work « . shown rendering the digital content mto a 
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the digital content is polarized and the resource information is preserved, creating polarized digital work 1422. The 
content polarization 1420 may occur as shown with reference to Figure 9. A digital work typically includes content, 
instructions and formatting. While polarization can occur to the entire digital work., preferably only the content is polar- 
ized; the instructions and formatting are not polarized. However, in some instances, for some replay applications, some 
of the resource information contained within the digital work may also be polarized. This is similar for the format pre- 
serving encryption method described above. 

[0149] Resource extraction 1412 extracts at least one resource information from the set of resource information 
associated with digital work 1410. Extraction consists of copying the resource information into a system resource file 
1414. System resource 1414 is then polarized at resource polarization 1416 to become polarized system resource 
1424. The polarization scheme for content polarization and resource polarization need not be the same. Preferably, 
each polarization scheme employs a polarization seed 1418 which is generated by seed generator 1426. Several 
exemplary methods for seed generation are described below. In particular, in a preferred embodiment, the polarization 
seed is based on unique information from the user's system. 

[01 50J Several techniques for generation of the polarization seed may be used. For example, a seed generator which 
generates a number from a random number generator may be used. This method, referred to as stateless polarization, 
does not depend on any secret key information and user system information. The process for stateless polarization 
yields a specific value for the system for polarization. The inherent vulnerability for digital security systems may be 
found in mishandling secret information, mathematical complexity, and algorithmic complexity. Eliminating the secret 
information seals off one target of attack. With stateless polarization, a random number generator produces the polar- 
ization seed. In this case, once the polarization process is complete the seed is discarded without a trace. Hence, the 
security of the system is free from attack focused on compromising the secret information, and the user need not 
divulge sensitive information that may be deemed a privacy violation. 

[0151] Another seed generator that may be used is a state-based generator. The state-based seed generator con- 
structs a seed by first acquiring system state information from the user's replay system or rendering device. System 
state information includes hardware identifiers, system settings and other system state-related information. While there 
is much value in stateless polarization, other security requirements may require use of an inseparable link to a particular 
user system or device. By generating the polarization seed from system/device-specific information, the polarization 
engine will produce a digital work that is polarized to a form that corresponds to a specific system/device. 
[0152] The polarization seed generator can also be tied to an authorization process. In authorization-based polari- 
zation, the seed generation can be tie in with the outcome of the authorization process. A separate authorization 
repository (which is a trusted source) provide authorization information as part of some other security feature associated 
with delivering access to a digital work to a user. The trusted source of authorization information may be an online 
authorization repository as described in US Patent No. 5,629,980. This authorization information is then used to gen- 
erate a polarization seed. 

[0153] If a stateless polarization seed is used, the digital work and its resource information may be polarized and 
stored together for delivery to a user when a user purchases the associated rights of use for the particular digital work. 
It one of the other polarization seed generation methods is used, polarization typically must wait until the user provides 
the system state or authorization information before the digital work and resource information may be polarized. 
[0154] An embodiment which provides a higher level of protection in terms of ensuring that the digital work may be 
replayed only on a specific physical system or device uses a dynamic state-based polarization seed. In this embodi- 
ment, a polarization engine and polarization seed generator must be provided to the replay application or rendering 
device along with the digital work and resource information. In this embodiment, the digital work and resource infor- 
mation are polarized prior to replay and rendering using a seed which is generated based on the dynamic state of the 
particular system or device. The dynamic state may come, for example, trom the system clock, CPU utilization, hard 
drive allocation, cursor coordinates., etc. By polarizing the work using a snapshot of a dynamic state, the work is locked 
to a panicular system conliguraiion (i.e. : state) in time. Polarization of the digital work, and ultimately iis blind replay 
(described below), is based upon a dynamically evolving stale. Top evolution of ihe dynamic siale does not yield unique 
:i-i:iYrl infom-iotioi, th£i Elm*-: n-r-frhU-ibiiiii o! li.cj-uit.iUf.il-,. : un. :: . r.i.f ii*-i«\f iv nftmic-ttaie based pol&rizatior 
makes compromising the polarized digital work and system coniext more diflicult. Since the polarization process is 
carried out within a trusted system, it is implied that the process can not be deconstructed. 

[0155] The actual process of polarization can be, as described in the example above, an algorithmic-based trans- 
formation -parameterized by the polarization seed. During polarization, the data and resource identifiers of the digital 
work are transformed as described above. The structure of the digital work is unaltered, however, such that the original 
format, such as PDF, DOC, WAV. or other format, is retained much like in the format preserving encryption. Similarly 
the polarization of the resource information yields a polarized form of the resource information such that the resource 
identifiers, element identifiers and resource characteristics are transformed, yet the structure of the system context 
remains unaltered. By polarizing the digital work and resource information according to the same seed based on a 
user's specific device or system information, an inseparable relationship is established such that the work cannot be 
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replayed to its clear form with any other device or user system. If circulated in an unauthorized manner, the protection 

W 561 * Du "ngblind replay, the unique characteristics of the polarized resource information enable the replay appli- 
cation to p"operly eplay the polarized digital work and generate unpo.arized or clear presentation data Because the 

5 To tal work and the resource information were transformed in a complementary manner, the polarized elements of he 
2a work such as the resource identifiers and data, unknowingly reference the complementary elements wnh.n the 
Source of the system context. Due to the matching transformation the proper elements withm the context are iden- 
,Ted I by tN J replay application such that the resultant presentation data appears in the clear. Hence, the work .s pro- 
tected until the last possible moment after replay. . 

io 01571 As discussed earlier, the conventional distribution of digital works via the web ,s re.at.vely stra.ght.onvard 
The work is created using an editor, posted to a web site, accessed by the user audience and replayed ,n a v.ewer o 
In a display system. If a content owner does not desire to protect his/her digital work (or if the content owner trusts a 
users who will receive the work), the digital work is provided "in the clear" i.e., without any encoding, encryption or 

« ^° X :TZ^^^o the user, system, . is typically stored in memory. ,f the digital work is 
provided via a storage media, such as floppy disk or CD-ROM or DVD-ROM, the digital work ,s usually accessed 

?S 'Tordeno plTyTe digital work, referring to Figure 1 5, the digita. work 1 510 is provided to a replay application 
512 in the case of a document or other type of digital work which requires formatting information or resource in or- 
20 nation the digital work will include digital content plus resource information setting forth the particular system context 
or system resources needed by the replay application to process the digital content. For example, the digital work ^1 510 
may be a text document in which the text is displayed using the Ariel font. When replay application 1512 accesses 
Source information on digital work 1 51 0 indicating Ariel font is used, it accesses the approbate system resources 
1516 [which in this case is the Ariel font table) and uses the system resource information to convert the d.grla. content 

" Zi^fZ^^o^ convening the digita, content into presentation data is sufficient for use by the 
t er n others, presentation data is only an intermediate form which must be furlher converted. For example, ,n he 
else of a display system 152. which is a printer, the presentation data 1514 must be further rendered by rendering 
appneation 1518. Rendering app.ication 1518 may be a decomposer within the printer. «Jon «18 

uses other system resources 1516 to transform the presentation data 1514 into image data 1520. Image data 1520 s 
"a form which can be directly displayed on display device 1 522 (in the case of a printer output as a pnnted document). 
0161 7n addition to the earlier described systems and methods for protecting a digital work during replay, a dig tal 
work may be protected during replay by polarizing the digital work in accordance with a f.rst polanzat.on scheme which 
ToduTes polarized content and preserves the digita. work's resource information. A portion of the digital work's resource 

£SS and p° iarized in accordance wrth a second polari2a,ion ECheme - Referringt f ° F,g r ? fi : 6 e ?S 

LoSon 1612 uses the polarized resource information 1614 (and any other system resource information 1 61 6 that 
may be required) to transform the polarized digital work1610 into dear presentation data 1618. Presentation data us 
rTecessaS in the clear, which means i, can be captured by other programs (such as a screen capture ut.lny program). 
However!he output of such other programs is not in the same forma, and frequently not of the same fidelity as the 

40 S' "Spoked resource information can be though, of as acting like a po.arizing fitter to bring the polarized 
dioital content into a clear image (presentation data). This system is a blind replay system ,n that the replay application, 
which can be any commercial apphcation, does not know or need to know the clear digita. content. Blind replay operates 
To any uan to ma°on function^ such that R(w',s') = R(w,s). where W is the polarized digita. content the clear 

« d°oita. content s' is the polarized resource intormation and s is the unpolarized resource information. Bhnd replay of 
Srized dig" al works using polarized resource intormation is different from blind transformation desenbed above .n 
mm b ind Say produces clear p.esen.a.ion data without having to depolarize it. In blind transformation, the replay 
apphcau on convert, .he encvpted d.pita. wor* into encyp.ed presentation data which murf then be decked In both 

mi 63] ''Wino replay (also caliedwlnd rendering) using a polarized digital work and polarized resource intormation 
can be used alone to protect the digital work during replay as we., as in addition to regular encryption. For example^ 
'he polarized digita. work and po.arized resource information may be encrypted to protect t during distribution then 
deck ed at the user's system into the po.arized digital work and polarized resource informat.on. The user must first 
ootaT permission from the content owner or the distributor acting on behalf of the content owner (in order to decrypt 
the encrypted digita, work) . Once the user is qualified, the encrypted po.arized digita. work and the encrypted po.arized 
resource information are decrypted and the po.arized digital work is replayed in the replay application using the po.ar- 

iorerTh^compTxirof rendering a digital work into a usable form for viewing by a user can be used to furlher 
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protect the digital work during replay. Referring to Figure 1 7, polarized digital work 1 71 0 is provided to replay application 
1712, which uses polarized system resources 1716 and other system resources 1718 to transform polarized digital 
work 1 71 0 into partially polarized presentation data 1 71 4. In this embodiment, display system 1 728 is needed to trans- 
form presentation data into a form usable by the user. Partially polarized presentation data 1>71 4 is provided to rendering 
application 1720 which uses polarized system resources 1716 5 local system resources ) 722 and system resources 
1 71 8 to transform the partially polarized presentation data 1 71 4 into clear image data 1 724. Clear image data 1 724 is 
then displayed on display device 1726 for use by the user. In this embodiment, presentation data is still polarized, 
taking the location of the clear data to a later point of the display process and providing further protection. 
[0165] To enhance usability of the system for polarization of digital works, the polarized resource information may 
be separated from the digital work and tied to a transportable device such as a smart card. In this embodiment, the 
replay application 1 71 2 plays back the work using the polarized system resources 1716. Instead of having the polarized 
system resources 1716 stored in a local memory, along with the polarized digital work, 1710, the polarized system 
resources 1716 is stored in a transportable device such as a smart card. Also, the smart card, possibly with hardware- 
enhanced features, may possess attributes that provide for tamper resistance. Within the transportable context, the 
polarized data is processed by the replay application 1712 to yield the partially polarized presentation data and then 
provided to the rendering application 1720. 

[0166] Many different types of digital works can be protected throughout use using the polarization method. For 
example, if the digital work is a document or text file, the replay application may be a word processor, system resources 
or resource information may include font tables, page layout, and color tables. If the digital work is audio or video data 
(e.g., streams), the replay application may be an audio or video player. The presentation data will be the audio/video 
final data stream. The display system may be an audio/video device. The rendering application may be the audio/video 
device driver. The image data may be the audio/video device data stream and the display device may be the audio/ 
video rendering device (speaker or monitor, for example). 

[0167] For a digital work that is an audio/video data stream, the system resources or resource information may 
include characteristics of the audio/video device: sample rate (samples per second - e.g., 8 kHz, 44.1kHz), sample 
quality (bits per sample - e.g., 8, 16); sample type (number of channels - e.g., 1 for mono, 2 for stereo), and sample 
format (instructions and data blocks). A table of some audio/video data streams and their corresponding resource 
information or variable parameters which can be selected for polarization is set forth below: 
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Digital Work: A/V Data (Streams) 


Extension 


Origin 


Variable Parameters (# Fixed) 


Compression 


Player 


.mp3 


MPEG standard 


sample rate, quality, tftype 


MPEG 


MP3 Player 


.ra 


Real Networks 


sample rate, quality, #type 


Plug-ins 


Real Player 


.wav 


Microsoft 


sample rate, quality, #type 


ADPCM 


Window Media 


snd 


Apple 


sample rate, Equality, #type 


MACE 


QuickTime 



[0168] The structure of a digital work can be used advantageously for polarization. While it is possible to polarize 
the entire digital work, it is more convenient to polarize only a portion of the digital work. Most digital works include 
three primary elements: instructions, data, and resources. Preferably, only the data and resources of the digital work 
are polarized, much like the format preserving encryption method described above. By selectively transforming only 
the data and resources, a digital work may be transformed such that the content remains in the original format, yet the 
data and resources are incomprehensible. 

|0169] The general layout ol a digital work of the document type is shown in Figure 16. In Figure 16, digital work 150 
induct? r-ep^Dercriplf-fii: Crnur I r criM !•/.. if* anr s 1 C: . R<v5 t urrv- in* Milk : V. f ?:nr:r»::ir l fiO fine 1 1P4. 1 l.r- 
haye Descriptors 152 tielint jiib general layout oi h work, hoi instance, Hit uzt, page numuei. anc margins lah 
into the category of Page Descriptors with respect to digital documents. Control Codes 154, 158 and 162 are similar 
in that they describe the presentation of the content. Examples include commands to set text position, output text, set 
font type, and set current screen coordinates. Resource Identifiers 156 simply reference the desired resources. In the 
digital document realm, resources could vary from font typeface to background color. Finally, Data 1 60, 1 64 represent 
the core information communicated by the digital work. This could be the drawing coordinates used in a multimedia 
clip or the character codes for rendering as a digital document. 

[01 70] An example of a digital work (in this case a simple digital document) and one of its polarized forms are shown 
in Fiaures 1 9 and 20, an HTML document in clear and polarized form. The tags <html> and <body> are Page Descrip- 
tors.~The <font>...<\font> tag is an example of a Control Code for setting font resource characteristics, while "Arial" 
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and "14" are Resource Identifiers for an Arial typeface, 14 point font. The "Hello World" text is the Data, or the core 
information of the work. The <p> is another Control Code to signal the beginning of the paragraph. Finally, the document 
is closed out with Page Descriptors <\body> and <\html> to identify the end of the document. 

[01 71 ] Figure 20 shows what the digital work of Figure 1 9 looks like in a polarized form. It can be seen that the Page 

5 Descriptor and Control Code tags remain unaltered; the <html>, <body> and <font> tags are unchanged. Whereas, 
the Resource Identifiers, "Arial" and "14", have been transformed to indecipherable values. Similarly, the Data, "Hello 
World" has also been transformed to an indecipherable value. By transforming the Resource Identifiers and the Data 
the content is rendered meaningless while in the polarized form. Yet, the fact that the Page Descriptors and Control 
Codes remain intact allows for the document to retain its original format, which in general could be HTML, Adobe PDF, 

10 RealNetworks RAM, Apple QuickTime, etc. , 

[0172] The system context (or system resources or resource information) can be thought of as the collection of 
system resources available to a replay application on a particular system. For example, it may include the Font Table, 
Color Palette, System Coordinates and Volume Setting. When a digital work is input to a replay application, the replay 
application uses the particular resource information contained within the digital work to transform the digital content 

is into presentation data. Each system context or resource information contained within a digital work is or can be altered 
to be unique to a system for which it can be replayed. The system context is a required element for the use of the 
digital work, tying use of the digital work to a specific system or physical device or replay application for replay. The 
Resource Identifiers and Data within the digital work may either directly or indirectly reference elements contained 
within the system context. Polarizing the digital work and system context enable blind rendering into clear presentation 

20 data. By polarizing the system context with a polarization seed that is tied to a unique system, the resulting polarized 
system context can be a unique environment in which a complementary polarized digital work, which has been polarized 
with the same polarization seed, may be accessed and replayed. 

[01 73] Figure 21 illustrates a typical configuration of the system context. The elements include the resource identifier 
(ResID), element identifier (ElemID), and resource characteristics (Characteristics). The ResID includes pertinent in- 
25 formation for other system components to reference the resources. The ElemID is the identifier of an individual element 
within the resource. Finally, the Characteristics are the actual resource characteristics used to express the individual 
resource element. 

[0174] Figure 22 is an illustration of the resource for the font table pertaining to the Arial typeface. The key resource 
identifier in this case is the font name, "Arial" Following the ASCII convention, the number 48 identifies the individual 
30 resource element identifier. The resource element characteristics for the ElemID represent the information to express 
the letter 'a'. 

[01 75] Figure 23 is an illustration of the polarized the system context for the font resource shown in Figure 22. I he 
resource identifier itself is transformed to "k1 3k2". The element identifier itself need not be transformed, as it is sufficient 
enough to transform the resource characteristics alone. In this case, "48" is depicted as transformed to express the 

35 characteristics for 'Y' instead of 'a'. 

[0176] Polarization and blind rendering may be used for many different types of digital works. In addition to Docu- 
ments, polarization and blind rendering may be used for audio/video data. As noted above, audio/video data is generally 
provided in the form of streams. A replay application is the audio/video player which transforms the digital audio/video 
stream into a final data stream which can be processed by a transducer (speaker) into an audio output or by a display 

40 into a video image. 

[01 77] Referring to Figure 1 7, replay application 1712 corresponds to an audio/video player which generally operates 
by sampling the audio/video input streams 1710 at some sample rate, quality and type accepted by a target audio/ 
video device. It uses the audio/video system resources to sample, mix and produce audio/video streams and then 
mixes the resampled audio/video streams to produce a final audio/video stream in a format expected by the target 
45 device, in the case of an audio/video player, the presentation data 1 71 4 is the final mixed audio/video stream at some 
sample rate, auality, type and format expected by a target audio/video device. 

[0178] The target audio/video device (e.g. : rendering application 1720) is some hardware system that is able to 
convert the audio/video stream (presentation data 1714) at a specific sample rate, quality, type (channel) and lormat 
ic- c. PAi orNTfCitc n.tf r.-M-ifi r.pric/vinc-c rial? ". 7.'-* . I- : i.ri.r i-i Msmc (tMffi ii.cludf. round cards, speakers 
u monitor*, ai.o the oignai lo anbiuc, uunvene. .ocaiea within me buuiu/vioeo oev.ct. Ivany oev.ces are ableio play audio/ 
video streams at a range of different sample rates. Image data 1 724 (e.g. an audio signal or a video image stream) is 
generated by the audio/video device driver 1720 and "consumed" by the display device 1726. 

[0179] For example, to polarize an audio/video data stream, it may be split into two or more separate streams. One 
stream is polarized and one stream is unpolarized. Each stream may have different device characteristics (resource 
55 information): sample rates, channels, qualities and/or formats associated with it. The device characteristics (one or 
more of the stream's sample rates, channels, qualities and/or formats) may also be polarized to generate the polarized 
resource information. 

[0180] Blind replay of the polarized audio/video stream is accomplished in a similar manner as for a polarized digital 
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document. The replay application (audio/video player) mixes together the unpoiarized stream and the polarized stream, 
and using the polarized resource information, produces a polarized final data stream for the target audio/video device 
with a correct set of resource information. The target device (1 720) uses the polarized resource information to play the 
polarized data stream generating clear sound/visual effects (1 724). , 

5 [0181] While certain exemplary embodiments of the invention have been described iij detail above, it should be 
recognized that other forms, alternatives, modifications, versions and variations of the invention are equally operative 
and would be apparent to those skilled in the art. The disclosure is not intended to limit the invention to any particular 
embodiment, and is intended to embrace all such forms, alternatives, modifications, versions and variations. For ex- 
ample, the portions of the invention described above that are described as software components could be implemented 

10 as hardware. Moreover, while certain functional blocks are described herein as separate and independent from each 
other, these functional blocks can be consolidated and performed on a single general-purpose computer, or further 
broken down into sub-functions as recognized in the art. Accordingly, the true scope of the invention is intended to 
cover all alternatives, modifications, and equivalents and should be determined with reference to the claims set forth 
below. 



15 

Claims 

1. A method of protecting a digital work, z, during transformation by a transformation function, F, into presentation 
20 data F(z), comprising: 

encrypting the digital work, z, in accordance with an encryption scheme, E; 

using a blind transformation function P to transform the encrypted digital work E(z) into encrypted presentation 
data, F'(E(z)), wherein F' is a function of F; and 
25 decrypting the encrypted presentation data, P(E(z)), in accordance with a decryption function, D, to obtain 

the presentation data, F(z) : wherein D(F'(E(z)) = F(z). 

2. The method of claim 1 , wherein the encryption scheme E is a formal preserving encryption scheme. 

30 3. The method of claim 1 , wherein the encryption function E is an additive encryption scheme and wherein P = F. 

4. The method of claim 3, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, 
EG.. OU, RSA and compositions thereof. 

35 5. The method of claim 1 , wherein F' is a polynomial of F. 

6. A system of protecting a digital work, z, during transformation by a transformation function, F, into presentation 
data F(z), comprising: 

40 an encryption engine for encrypting the digital work z in accordance with an encryption scheme, E; 

a blind transformation function F' for transforming the encrypted digital work E(z) into encrypted presentation 
data, F'(E(z)), wherein F is a function of F; and 

a decryption engine for decrypting the encrypted presentation data, P(E(z)), in accordance with a decryption 
function, D, to obtain the presentation data, F(z), wherein D(F'(E(z)) = F(z). 

45 

7. The system of claim 6, wherein the encryption scheme E is a format preserving encryption scheme. 

; . mc: r vsio-m ol clsim ; . w-i.Kinr.ihf encryption hin^iu-i. . i: s :. f.ffhm ■ r- r.i i : -\:\uu. «cheme and wherein F' = F 

i 

50 9. The system of claim 8, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, 
EG, OU, RSA and compositions thereof. 

10. The system of claim 6, wherein F' is a polynomial of F. 

55 
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